CN114553484A - Dual access authority control method and system based on two-dimensional security marker - Google Patents


Info

Publication number: CN114553484A
Authority: CN (China)
Prior art keywords: security, user, query, service resource, access
Legal status: Granted; Active
Application number: CN202210055842.1A
Other languages: Chinese (zh)
Other versions: CN114553484B (en)
Inventors: 周玲, 宋奇兵, 季惠英, 陈云, 季学纯, 彭晖, 孙云枫, 翟明玉
Current assignee: Nari Technology Co Ltd
Original assignee: Nari Technology Co Ltd
Events: application filed by Nari Technology Co Ltd; priority to CN202210055842.1A; publication of CN114553484A; application granted; publication of CN114553484B

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network security for controlling access to devices or network resources
    • H04L63/105: Multiple levels of security
    • H04L63/08: Network security for authentication of entities
    • H04L63/0876: Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
    • Y04: Information or communication technologies having an impact on other technology areas
    • Y04S: Systems integrating technologies related to power network operation, communication or information technologies for improving the electrical power generation, transmission, distribution, management or usage, i.e. smart grids
    • Y04S40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a dual access authority control method and system based on a two-dimensional security label. The method classifies users and service resources and applies security labels to both. A security label expresses a data security attribute and has two dimensions, label type and label level, so that the security authority of users and of service resources can be controlled at fine granularity. When a user accesses the system, the user sends a request carrying the login credential, the identifier of the service resource to be accessed and the access type to the system's authentication service. Depending on the access type, the authentication service matches the security label of the login account against the security label of the requested service resource, then applies the second control, the user's role authorization, and finally decides whether the user holds access control authority for the resource. By combining fine-grained classification control over the security attributes of accounts and service resources with user role authorization in a dual authority control mode, the invention achieves precise control of system access and improves the security of system access.

Description

Dual access authority control method and system based on two-dimensional security marker
Technical Field
The invention belongs to the technical field of power grid dispatching automation, and particularly relates to a dual access authority control method and system based on a two-dimensional security label.
Background
As the automation level of power grid dispatching rises, strengthening authority control has become increasingly important for the safety of the power dispatching automation system. In a traditional power grid dispatching automation system a user accesses system resources under a specific role, and the access control mechanism checks only the authority of that role: as long as the user holds a role, every permission of that role can be used. No effective, fine-grained classification and control is performed on the security levels of the different users in the system, such as dispatching personnel and management personnel, or on the object resources those users may operate, so the ever-increasing security requirements of the power dispatching automation system cannot be met.
Disclosure of Invention
Purpose of the invention: the invention provides a dual access authority control method and system based on a two-dimensional security label, aiming to solve the problem that the security levels of the object resources operated by different users in an existing power grid dispatching automation system are not effectively classified and controlled.
Technical scheme: a dual access authority control method based on a two-dimensional security label applies security labels to the subject login account and to the object service resource data; the security label is divided into the two dimensions of label type and label level;
when a service resource is accessed, the method comprises the following steps:
step 1: acquiring a user request, wherein the user request carries a login credential, the identifier RES_URL of the service resource to be accessed and the access type ACTIONTYPE;
step 2: judging, from the access type ACTIONTYPE of the current user, whether the current operation is a query operation; if the access type ACTIONTYPE is the query operation QUERYACTION, determining the user's access authority jointly from the security authentication for the query type and the user role authentication, and returning the authentication result; if the access type ACTIONTYPE is a non-query operation, determining the user's control authority jointly from the security authentication for the non-query operation and the user role authentication, and returning the authentication result.
Further, if the access type ACTIONTYPE is the query operation QUERYACTION, determining the user's access authority jointly from the security authentication for the query type and the user role authentication and returning the authentication result comprises the following steps:
resolving the login account from the login credential, and querying by the login account the level configuration USER_SECURITY_QUERYLEVEL of the query operation QUERYACTION in the user security label;
obtaining the identifier RES_URL of the service resource to be accessed from the user request, and querying by RES_URL the level configuration RES_SECURITY_QUERYLEVEL of the query operation QUERYACTION in the security label of the service resource to be accessed;
comparing the level configuration USER_SECURITY_QUERYLEVEL of the user security label with the level configuration RES_SECURITY_QUERYLEVEL of the security label of the service resource to be accessed; if the security check passes, performing user role authentication to determine the user's access authority; otherwise, determining that the user does not have access authority for the service resource, denying access and returning.
Further, if the access type ACTIONTYPE is a non-query type, determining the user's control authority jointly from the security authentication for the non-query operation and the user role authentication and returning the authentication result comprises the following steps:
resolving the login account from the login credential, and querying by the login account the level configuration USER_SECURITY_QUERYLEVEL of the query operation QUERYACTION in the user security label together with the level configuration USER_SECURITY_LEVEL corresponding to the current operation type;
obtaining the identifier RES_URL of the service resource to be accessed from the user request, and querying by RES_URL the level configuration RES_SECURITY_QUERYLEVEL of the query operation QUERYACTION in the security label of the service resource to be accessed together with the level configuration RES_SECURITY_LEVEL corresponding to the current operation type;
matching the level configurations USER_SECURITY_QUERYLEVEL, RES_SECURITY_QUERYLEVEL, USER_SECURITY_LEVEL and RES_SECURITY_LEVEL; if the security check passes, performing user role authentication to determine the user's control authority; otherwise, determining that the user does not have control authority for the service resource, rejecting the request and returning the authentication result.
Further, the user role authentication comprises the following steps:
resolving the login account from the login credential, and obtaining the authorized roles of the login account through the login account;
if the login account is configured with a role, judging from the identifier RES_URL of the service resource to be accessed in the user request whether the role has control authority for the service resource, and returning the authentication result;
if the login account is not configured with a role, querying whether a default role exists; if so, judging from the identifier RES_URL in the user request whether the default role has control authority for the service resource, and returning the authentication result; otherwise, judging that the user does not have control authority for the service resource, rejecting the request and returning.
The invention also discloses a dual access authority control system based on a two-dimensional security label, which comprises the following modules:
a user request module, which acquires a user request, wherein the user request carries a login credential, the identifier RES_URL of the service resource to be accessed and the access type ACTIONTYPE;
an access type analysis module, which judges from the access type ACTIONTYPE in the user request whether the current operation is of the query operation type;
a query operation mode result returning module, which, when the access type ACTIONTYPE requested by the current user is the query operation QUERYACTION, finally determines the user's access authority from the security authentication for the query operation and the user role authentication, and returns the authentication result;
and a non-query operation mode result returning module, which, when the access type ACTIONTYPE requested by the current user is a non-query operation, finally determines the user's access authority from the security authentication for the non-query operation and the user role authentication, and returns the authentication result.
Further, the query operation mode result returning module comprises:
a query operation security label acquisition module, which, when the access type ACTIONTYPE is a query operation, resolves the login account from the login credential, queries by the login account the level configuration USER_SECURITY_QUERYLEVEL of QUERYACTION in the user security label, obtains the identifier RES_URL of the service resource to be accessed from the user request, and queries by RES_URL the level configuration RES_SECURITY_QUERYLEVEL of QUERYACTION in the service resource security label;
and a query operation security authentication module, which passes the security check and calls the authorized role judgment module when the level configuration USER_SECURITY_QUERYLEVEL is higher than or equal to the level configuration RES_SECURITY_QUERYLEVEL, and otherwise judges that the user does not have access authority for the service resource, denies access and returns.
Further, the non-query operation mode result returning module comprises:
a non-query operation security label acquisition module, which, when the access type ACTIONTYPE is a non-query operation, resolves the login account from the login credential, queries by the login account the level configuration USER_SECURITY_QUERYLEVEL of the query operation QUERYACTION in the user security label and the level configuration USER_SECURITY_LEVEL corresponding to the current operation type, obtains the identifier RES_URL of the service resource to be accessed from the user request, and queries by RES_URL the level configuration RES_SECURITY_QUERYLEVEL of the query operation QUERYACTION in the service resource security label and the level configuration RES_SECURITY_LEVEL corresponding to the current operation type;
and a non-query operation security authentication module, which passes the security check and calls the user role authentication module when the level configuration USER_SECURITY_QUERYLEVEL is higher than or equal to the level configuration RES_SECURITY_QUERYLEVEL and the level configuration USER_SECURITY_LEVEL is higher than or equal to the level configuration RES_SECURITY_LEVEL, and otherwise judges that the user does not have control authority for the service resource, rejects the request and returns the authentication result.
Further, the user role authentication module resolves the login account from the login credential and obtains the authorized roles of the login account through the login account; if the login account is configured with a role, it judges from the identifier of the service resource to be accessed in the user request whether the role has access authority for the service resource, and returns the authentication result; if the login account is not configured with a role, it queries whether a default role is configured; if a default role exists, it judges from the identifier of the service resource to be accessed in the user request whether the default role has access authority for the service resource; otherwise, it judges that the user does not have access control authority for the service resource, rejects the request and returns the authentication result.
Further, the system also comprises:
a security labelling module, which applies security labels to the login accounts and the service resources.
Further, the security label is divided into a label type and a label level.
Beneficial effects: the invention obtains the security label of the account and the security label of the service resource to be accessed from the account information in the login credential and from the identifier of the service resource to be accessed, performs a two-dimensional classification and matching operation on label type and label level over those security labels, and then applies the second control, the judgment of the user's role authorization, to finally decide whether the user has access control authority for the resource. The invention applies fine-grained security labels to the subject account and the object access resource, and controls the security attributes of the logged-in user and of the service resource precisely through a dual control mode that combines mandatory access control based on the two-dimensional security label with role-based access control, thereby effectively reducing the possibility of misoperation and unauthorized operation by users and improving the access control security of the power dispatching automation system.
Drawings
Fig. 1 is the flow of the dual access authority control method based on a two-dimensional security label.
Detailed Description
The technical solution of the present invention will be further explained with reference to the accompanying drawings and embodiments.
After the user logs in to the system successfully, the login credential information is obtained; the login credential contains the login account LOGINNAME. The user sends a request carrying the login credential, the identifier RES_URL of the service resource to be accessed and the access type ACTIONTYPE to the authentication service of the system, and the authentication service judges, according to the steps shown in fig. 1, whether the login account LOGINNAME has access control authority for the service resource to be accessed. The method of the invention applies security labels to the data of the subject login account and of the object service resource, divides the security label into the two dimensions of label type and label level, and controls the security attributes of users and service resources at fine granularity. When the system is accessed, the method comprises the following steps:
Step 1: acquiring a user request carrying a login credential, the identifier RES_URL of the service resource to be accessed and the access type ACTIONTYPE.
Step 2: judging, from the access type ACTIONTYPE of the current user, whether the current operation is a query operation.
Step 3: if in step 2 the access type ACTIONTYPE is the query operation QUERYACTION, executing step 4; if the access type ACTIONTYPE is a non-query type, executing step 5.
Step 4: when the access type ACTIONTYPE is the query operation QUERYACTION, resolving the login account from the login credential, querying by the login account the level configuration USER_SECURITY_QUERYLEVEL of QUERYACTION in the user security label, obtaining the identifier RES_URL of the service resource to be accessed from the user request, querying by RES_URL the level configuration RES_SECURITY_QUERYLEVEL of QUERYACTION in the service resource security label, and comparing the label level USER_SECURITY_QUERYLEVEL of the operating user with the label level RES_SECURITY_QUERYLEVEL of the service resource to be accessed (the check passes when USER_SECURITY_QUERYLEVEL is higher than or equal to RES_SECURITY_QUERYLEVEL); if the security check passes, executing step 6; otherwise, judging that the user does not have access authority for the service resource, denying access and returning the result.
Step 5: when the access type ACTIONTYPE is a non-query type, resolving the login account from the login credential, querying by the login account the level configuration USER_SECURITY_QUERYLEVEL of QUERYACTION in the user security label and the level configuration USER_SECURITY_LEVEL corresponding to the current operation type, obtaining the identifier RES_URL of the service resource to be accessed from the user request, querying by RES_URL the level configuration RES_SECURITY_QUERYLEVEL of QUERYACTION in the service resource security label and the level configuration RES_SECURITY_LEVEL corresponding to the current operation type, and matching the user's query label level USER_SECURITY_QUERYLEVEL and current-operation label level USER_SECURITY_LEVEL against the service resource's query label level RES_SECURITY_QUERYLEVEL and current-operation label level RES_SECURITY_LEVEL (the check passes when both user levels are higher than or equal to the corresponding resource levels); if the security check passes, executing step 6; otherwise, judging that the user does not have control authority for the service resource, rejecting the request and returning the authentication result.
Step 6: obtaining the authorized roles of the login account through the login account LOGINNAME in the user request; if the login user is configured with a role, judging from the identifier of the service resource to be accessed in the user request whether the role has control authority for the service resource, and returning the authentication result; if the login account is not configured with a role, querying whether a default role exists: if so, judging from the identifier RES_URL in the user request whether the default role has control authority for the service resource, and returning the authentication result; otherwise, judging that the user does not have control authority for the service resource, rejecting the request and returning.
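The decision procedure of steps 1 to 6 above (and the matching method steps in the Disclosure of Invention), as an added worked example; this is not code from the patent or from any Nari Technology product. The identifiers RES_URL, ACTIONTYPE, QUERYACTION, LOGINNAME and the level names follow the text. The session table, the sample labels, the sample roles and the resource paths are constructed sample data, and the choice to deny when the subject or object carries no label for the requested mark type, or the resource is unknown, is an assumption of the example, since the patent does not say what happens to an unlabelled subject or object.

```python
from __future__ import annotations

from dataclasses import dataclass

# Mark type of the query dimension, as named in the patent.
QUERYACTION = "QUERYACTION"


@dataclass(frozen=True)
class Request:
    """A user request as described in step 1."""
    credential: str   # login credential; an opaque session token here (assumption)
    res_url: str      # RES_URL, identifier of the service resource to be accessed
    action_type: str  # ACTIONTYPE: "QUERYACTION" or a non-query operation type


# --- Constructed sample data (not from the patent) --------------------------

# Login credential -> LOGINNAME, assumed to be issued by a prior successful login.
SESSIONS = {
    "tok-dispatcher": "dispatcher01",
    "tok-viewer": "viewer02",
    "tok-ops": "ops03",
    "tok-nolabel": "guest04",   # logged in but never given a security label
}

# Two-dimensional security labels: {mark type: mark level}. The query
# dimension is QUERYACTION; any other key is a non-query operation type.
USER_LABELS = {
    "dispatcher01": {QUERYACTION: 3, "CONTROL": 3},
    "viewer02": {QUERYACTION: 2},
    "ops03": {QUERYACTION: 1},
}
RES_LABELS = {
    "/scada/breaker/110kV/B1": {QUERYACTION: 2, "CONTROL": 3},
    "/scada/alarm/list": {QUERYACTION: 1},
    "/scada/protection/settings": {QUERYACTION: 3, "CONTROL": 3},
}

# RBAC side: account -> roles, and role -> permitted (RES_URL, ACTIONTYPE) pairs.
USER_ROLES = {"dispatcher01": ["dispatcher"], "viewer02": ["observer"]}
DEFAULT_ROLE = "observer"  # used by step 6 when an account has no role
ROLE_PERMS = {
    "dispatcher": {
        ("/scada/breaker/110kV/B1", QUERYACTION),
        ("/scada/breaker/110kV/B1", "CONTROL"),
        ("/scada/alarm/list", QUERYACTION),
    },
    "observer": {
        ("/scada/breaker/110kV/B1", QUERYACTION),
        ("/scada/alarm/list", QUERYACTION),
    },
}


def resolve_login(credential: str) -> str | None:
    """Resolve the login account (LOGINNAME) from the login credential."""
    return SESSIONS.get(credential)


def security_check(login: str, req: Request) -> bool:
    """Steps 4 and 5: the two-dimensional security label (MAC) check.

    A query compares only the QUERYACTION levels; a non-query operation
    additionally requires the level of the current operation type. A
    missing label on either side fails the check (assumption: fail closed).
    """
    user_label = USER_LABELS.get(login, {})
    res_label = RES_LABELS.get(req.res_url)
    if res_label is None:
        return False
    user_q = user_label.get(QUERYACTION)  # USER_SECURITY_QUERYLEVEL
    res_q = res_label.get(QUERYACTION)    # RES_SECURITY_QUERYLEVEL
    if user_q is None or res_q is None or user_q < res_q:
        return False
    if req.action_type == QUERYACTION:
        return True
    user_l = user_label.get(req.action_type)  # USER_SECURITY_LEVEL
    res_l = res_label.get(req.action_type)    # RES_SECURITY_LEVEL
    return user_l is not None and res_l is not None and user_l >= res_l


def role_check(login: str, req: Request) -> bool:
    """Step 6: role authorization with the default-role fallback."""
    roles = USER_ROLES.get(login) or ([DEFAULT_ROLE] if DEFAULT_ROLE else [])
    if not roles:
        return False
    wanted = (req.res_url, req.action_type)
    return any(wanted in ROLE_PERMS.get(role, set()) for role in roles)


def authorize(req: Request) -> tuple[bool, str]:
    """Steps 1 to 6: label check first, then role check; both must pass."""
    login = resolve_login(req.credential)
    if login is None:
        return False, "invalid login credential"
    if not security_check(login, req):
        return False, "denied by security label check"
    if not role_check(login, req):
        return False, "denied by role authorization"
    return True, "granted"


if __name__ == "__main__":
    for cred, url, act in [
        ("tok-dispatcher", "/scada/breaker/110kV/B1", "CONTROL"),
        ("tok-viewer", "/scada/breaker/110kV/B1", "CONTROL"),
        ("tok-dispatcher", "/scada/protection/settings", QUERYACTION),
    ]:
        print(cred, act, url, authorize(Request(cred, url, act)))
```

Two points the example makes concrete. The label check runs before the role check and, in this example, fails closed on a missing label, so a resource that was never labelled is unreachable even for a user whose role would grant it, which is the intended effect of combining mandatory labels with RBAC. The default-role fallback of step 6 means every labelled account without an explicit role silently inherits that default role's permissions, so the default role should carry the minimum set. Note also that what the patent calls the "authentication result" is an authorization decision: the credential has already been issued by the login step, and this service only decides whether the authenticated account may perform the requested operation.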
The method of the invention applies security labels to the subject login account and the object service resource data, divides the security label into the two dimensions of label type and label level, and controls the security attributes of users and service resources at fine granularity. Access control of system authority is realized by combining mandatory access control based on the two-dimensional security label with role-based access control, which effectively reduces the possibility of misoperation and unauthorized operation by users and improves the access control capability of the power dispatching automation system.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow in the flow diagrams can be implemented by computer program instructions. These computer program instructions may be provided to a computer to cause the computer to perform instructions to implement the functions specified in the flowchart or flowcharts.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows.
These computer program instructions may also be loaded onto a computer to cause a series of operational steps to be performed on the computer to perform a process such that the instructions which execute on the computer provide steps for implementing the functions specified in the flowchart flow or flows.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (10)

1. A dual access authority control method based on a two-dimensional security label, characterized in that:
security labels are applied to the subject login account and to the object service resource data; the security label is divided into the two dimensions of label type and label level;
when a service resource is accessed, the method comprises the following steps:
step 1: acquiring a user request, wherein the user request carries a login credential, the identifier RES_URL of the service resource to be accessed and the access type ACTIONTYPE;
step 2: judging, from the access type ACTIONTYPE of the current user, whether the current operation is a query operation; if the access type ACTIONTYPE is the query operation QUERYACTION, determining the user's access authority jointly from the security authentication for the query type and the user role authentication, and returning the authentication result; if the access type ACTIONTYPE is a non-query operation, determining the user's control authority jointly from the security authentication for the non-query operation and the user role authentication, and returning the authentication result.
2. The dual access authority control method based on a two-dimensional security label as claimed in claim 1, characterized in that: if the access type ACTIONTYPE is the query operation QUERYACTION, determining the user's access authority jointly from the security authentication for the query type and the user role authentication and returning the authentication result comprises the following steps:
resolving the login account from the login credential, and querying by the login account the level configuration USER_SECURITY_QUERYLEVEL of the query operation QUERYACTION in the user security label;
obtaining the identifier RES_URL of the service resource to be accessed from the user request, and querying by RES_URL the level configuration RES_SECURITY_QUERYLEVEL of the query operation QUERYACTION in the security label of the service resource to be accessed;
comparing the level configuration USER_SECURITY_QUERYLEVEL of the user security label with the level configuration RES_SECURITY_QUERYLEVEL of the security label of the service resource to be accessed; if the security check passes, performing user role authentication to determine the user's access authority; otherwise, determining that the user does not have access authority for the service resource, denying access and returning.
3. The dual access authority control method based on a two-dimensional security label as claimed in claim 1, characterized in that: if the access type ACTIONTYPE is a non-query type, determining the user's control authority jointly from the security authentication for the non-query operation and the user role authentication and returning the authentication result comprises the following steps:
resolving the login account from the login credential, and querying by the login account the level configuration USER_SECURITY_QUERYLEVEL of the query operation QUERYACTION in the user security label together with the level configuration USER_SECURITY_LEVEL corresponding to the current operation type;
obtaining the identifier RES_URL of the service resource to be accessed from the user request, and querying by RES_URL the level configuration RES_SECURITY_QUERYLEVEL of the query operation QUERYACTION in the security label of the service resource to be accessed together with the level configuration RES_SECURITY_LEVEL corresponding to the current operation type;
matching the level configurations USER_SECURITY_QUERYLEVEL, RES_SECURITY_QUERYLEVEL, USER_SECURITY_LEVEL and RES_SECURITY_LEVEL; if the security check passes, performing user role authentication to determine the user's control authority; otherwise, determining that the user does not have control authority for the service resource, rejecting the request and returning the authentication result.
4. The dual access authority control method based on a two-dimensional security label as claimed in claim 2 or 3, characterized in that the user role authentication comprises the following steps:
resolving the login account from the login credential, and obtaining the authorized roles of the login account through the login account;
if the login account is configured with a role, judging from the identifier RES_URL of the service resource to be accessed in the user request whether the role has control authority for the service resource, and returning the authentication result;
if the login account is not configured with a role, querying whether a default role exists; if so, judging from the identifier RES_URL in the user request whether the default role has control authority for the service resource, and returning the authentication result; otherwise, judging that the user does not have control authority for the service resource, rejecting the request and returning.
5. A dual access authority control system based on a two-dimensional security label, characterized in that the system comprises the following modules:
a user request module, which acquires a user request, wherein the user request carries a login credential, the identifier RES_URL of the service resource to be accessed and the access type ACTIONTYPE;
an access type analysis module, which judges from the access type ACTIONTYPE in the user request whether the current operation is of the query operation type;
a query operation mode result returning module, which, when the access type ACTIONTYPE requested by the current user is the query operation QUERYACTION, finally determines the user's access authority from the security authentication for the query operation and the user role authentication, and returns the authentication result;
and a non-query operation mode result returning module, which, when the access type ACTIONTYPE requested by the current user is a non-query operation, finally determines the user's access authority from the security authentication for the non-query operation and the user role authentication, and returns the authentication result.
6. The system of claim 5, wherein the query operation mode result returning module comprises:
a query operation security label acquisition module, which, when the access type ACTIONTYPE is a query operation, resolves the login account from the login credential, queries by the login account the level configuration USER_SECURITY_QUERYLEVEL of QUERYACTION in the user security label, obtains the identifier RES_URL of the service resource to be accessed from the user request, and queries by RES_URL the level configuration RES_SECURITY_QUERYLEVEL of QUERYACTION in the service resource security label;
and a query operation security authentication module, which passes the security check and calls the authorized role judgment module when the level configuration USER_SECURITY_QUERYLEVEL is higher than or equal to the level configuration RES_SECURITY_QUERYLEVEL, and otherwise judges that the user does not have access authority for the service resource, denies access and returns.
7. The dual access authority control system based on two-dimensional security marks according to claim 5, wherein the non-query operation mode result returning module comprises:
a non-query operation security mark acquisition module, used for, when the access type ACTIONYPE is a non-query operation, parsing the login account from the login credential, querying by the login account the level configuration USER_SECURITY_QUERY of the query operation QUERYACTION in the user security mark together with the level configuration USER_SECURITY_LEVER corresponding to the current operation type, acquiring the service resource identifier RES_URL to be accessed from the user request, and querying by the service resource identifier the level configuration RES_SECURITY_QUERY of the query operation QUERYACTION in the service resource security mark together with the level configuration RES_SECURITY_LEVER corresponding to the current operation type;
and a non-query operation security authentication module, used for passing the security check and calling the user role authentication module when the level configuration USER_SECURITY_QUERY is higher than or equal to the level configuration RES_SECURITY_QUERY and the level configuration USER_SECURITY_LEVER is higher than or equal to the level configuration RES_SECURITY_LEVER, and otherwise judging that the user does not have the control authority of the service resource, refusing access and returning the authentication result.
8. The dual access authority control system based on two-dimensional security marks according to claim 6 or 7, characterized in that the user role authentication module is used for parsing the login account from the login credential and obtaining the authorized roles of the login account through the login account; if the login account is configured with a role, judging, according to the service resource identifier to be accessed in the user request, whether the role has the access authority of the service resource, and returning an authentication result; if the login account is not configured with a role, querying whether a default role is configured; if the default role exists, judging, according to the service resource identifier to be accessed in the user request, whether the default role has the access authority of the service resource; otherwise, judging that the user does not have the access control authority of the service resource, refusing access and returning the authentication result.
9. The dual access authority control system based on two-dimensional security marks according to claim 5, further comprising:
a security marking module, used for applying security marks to the login account and the service resources.
10. The dual access authority control system based on two-dimensional security marks according to claim 9, characterized in that the security mark is classified by a mark type and a mark grade.
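The decision procedure of claims 5 to 8 as a worked example. This is added illustration code, not code from the patent or from Nari Technology: the two stages are the security-mark grade comparison (the query grade for every access type, plus the grade of the operation's own type for a non-query operation) followed by the role check with default-role fallback. The class and function names, the MODIFYACTION operation type, the sample accounts, URLs, grades and roles are all constructed; treating a missing mark or grade as a denial is also an assumption, since the claims do not address that case.

```python
# Added example: dual access control with two-dimensional security marks.
# Names, sample data and the fail-closed handling of missing marks are
# assumptions for illustration, not identifiers or behaviour from the patent.
from dataclasses import dataclass
from typing import Mapping, Optional, Set

QUERY_ACTION = "QUERYACTION"    # query operation type named in the claims
MODIFY_ACTION = "MODIFYACTION"  # assumed non-query operation type for the demo

# Two-dimensional security mark (claim 10): mark type (operation) -> mark grade.
SecurityMark = Mapping[str, int]


@dataclass(frozen=True)
class Request:
    login_account: str   # parsed from the login credential
    res_url: str         # RES_URL of the service resource to be accessed
    action_type: str     # ACTIONYPE in the claims


@dataclass(frozen=True)
class Decision:
    allowed: bool
    stage: str           # "security" or "role": the stage that produced the verdict
    reason: str


@dataclass
class DualAccessController:
    user_marks: Mapping[str, SecurityMark]       # login account -> user security mark
    resource_marks: Mapping[str, SecurityMark]   # RES_URL -> service resource security mark
    user_roles: Mapping[str, Set[str]]           # login account -> configured roles
    role_permissions: Mapping[str, Set[str]]     # role -> RES_URLs it may access
    default_role: Optional[str] = None

    def _security_check(self, req: Request) -> Optional[str]:
        """Claims 6 and 7: return a denial reason, or None when the grades pass."""
        user_mark = self.user_marks.get(req.login_account)
        res_mark = self.resource_marks.get(req.res_url)
        if user_mark is None or res_mark is None:
            return "no security mark for account or resource"  # fail closed (assumption)
        # Query grade is compared for every access type; a non-query operation
        # additionally compares the grade configured for its own operation type.
        compared = [QUERY_ACTION]
        if req.action_type != QUERY_ACTION:
            compared.append(req.action_type)
        for action in compared:
            user_grade, res_grade = user_mark.get(action), res_mark.get(action)
            if user_grade is None or res_grade is None:
                return f"no {action} grade configured"          # fail closed (assumption)
            if user_grade < res_grade:
                return f"{action} grade {user_grade} < resource grade {res_grade}"
        return None

    def _role_check(self, req: Request) -> Optional[str]:
        """Claim 8: configured roles, else the default role, else deny."""
        roles = self.user_roles.get(req.login_account) or set()
        if not roles:
            if self.default_role is None:
                return "no role configured and no default role"
            roles = {self.default_role}
        if any(req.res_url in self.role_permissions.get(r, set()) for r in roles):
            return None
        return f"none of {sorted(roles)} is authorized for {req.res_url}"

    def check_access(self, req: Request) -> Decision:
        """Both stages must pass; the first failing stage decides."""
        denial = self._security_check(req)
        if denial:
            return Decision(False, "security", denial)
        denial = self._role_check(req)
        if denial:
            return Decision(False, "role", denial)
        return Decision(True, "role", "security check and role check passed")


def build_demo_controller() -> DualAccessController:
    """Constructed sample data; grades and URLs are illustrative only."""
    return DualAccessController(
        user_marks={
            "alice": {QUERY_ACTION: 3, MODIFY_ACTION: 3},
            "bob": {QUERY_ACTION: 2, MODIFY_ACTION: 1},
            "carol": {QUERY_ACTION: 3, MODIFY_ACTION: 3},  # no role configured
        },
        resource_marks={
            "/api/grid/topology": {QUERY_ACTION: 2, MODIFY_ACTION: 3},
            "/api/grid/setpoint": {QUERY_ACTION: 3, MODIFY_ACTION: 3},
        },
        user_roles={"alice": {"operator"}, "bob": {"viewer"}},
        role_permissions={
            "operator": {"/api/grid/topology", "/api/grid/setpoint"},
            "viewer": {"/api/grid/topology"},
            "guest": {"/api/grid/topology"},
        },
        default_role="guest",
    )


if __name__ == "__main__":
    ctl = build_demo_controller()
    for acct, url, act in [("alice", "/api/grid/topology", MODIFY_ACTION),
                           ("bob", "/api/grid/topology", MODIFY_ACTION),
                           ("carol", "/api/grid/setpoint", QUERY_ACTION)]:
        d = ctl.check_access(Request(acct, url, act))
        print(f"{acct:6} {act:13} {url}: {'ALLOW' if d.allowed else 'DENY':5} [{d.stage}] {d.reason}")
```

Two points follow the claims literally and are worth noticing when reading them. First, the role permissions are keyed on RES_URL alone, as claim 8 states, so it is the grade comparison, not the role, that distinguishes a query from a modification of the same resource; a deployment would normally scope role permissions per operation type as well. Second, "higher than or equal to" is implemented as a numeric `>=`; the claims do not fix how grades are encoded, so an implementation must make sure user and resource grades are drawn from the same ordered scale before comparing them.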
CN202210055842.1A 2022-01-18 2022-01-18 Dual access right control method and system based on two-dimensional security mark Active CN114553484B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210055842.1A CN114553484B (en) 2022-01-18 2022-01-18 Dual access right control method and system based on two-dimensional security mark

Publications (2)

Publication Number Publication Date
CN114553484A true CN114553484A (en) 2022-05-27
CN114553484B CN114553484B (en) 2024-05-24

Family

ID=81671213

Country Status (1)

Country Link
CN (1) CN114553484B (en)

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101631116A (en) * 2009-08-10 2010-01-20 中国科学院地理科学与资源研究所 Distributed dual-license and access control method and system
US20100027542A1 (en) * 2007-06-04 2010-02-04 Huawei Technologies Co., Ltd. Method, device and system for multicast service authorization control
WO2011126312A2 (en) * 2010-04-06 2011-10-13 Samsung Electronics Co., Ltd. Method and apparatus for managing remote access authority in upnp remote access service
CN103078859A (en) * 2012-12-31 2013-05-01 普天新能源有限责任公司 Service system authority management method, equipment and system
US20130246931A1 (en) * 2003-12-31 2013-09-19 Checkfree Corporation User association of a computing application with a contact in a contact list
CN103532981A (en) * 2013-10-31 2014-01-22 中国科学院信息工程研究所 Identity escrow and authentication cloud resource access control system and method for multiple tenants
CN105471847A (en) * 2015-11-16 2016-04-06 浙江宇视科技有限公司 User information management method and user information management device
CN106845175A (en) * 2015-12-04 2017-06-13 方正国际软件(北京)有限公司 The establishing method and device of a kind of data permission
US20180316608A1 (en) * 2017-04-27 2018-11-01 At&T Intellectual Property I, L.P. Method and apparatus for selecting processing paths in a software defined network
CN110427747A (en) * 2019-06-20 2019-11-08 中国科学院信息工程研究所 A kind of authentication identifying method and device for supporting service security to mark
CN111552936A (en) * 2020-04-26 2020-08-18 国电南瑞科技股份有限公司 Cross-system access right control method and system based on scheduling mechanism level
CN112039910A (en) * 2020-09-04 2020-12-04 苏州浪潮智能科技有限公司 Method, system, equipment and medium for unified management of authentication and authority
CN112073400A (en) * 2020-08-28 2020-12-11 腾讯科技(深圳)有限公司 Access control method, system and device and computing equipment
CN113098695A (en) * 2021-04-21 2021-07-09 金陵科技学院 Micro-service unified authority control method and system based on user attributes
CN113239344A (en) * 2021-05-12 2021-08-10 建信金融科技有限责任公司 Access right control method and device

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Xiruo Liu; Wade Trappe; Yanyong Zhang: "Secure Name Resolution for Identifier-to-Locator Mappings in the Global Internet", 2013 22nd International Conference on Computer Communication and Networks (ICCCN), 24 October 2013 (2013-10-24) *
Ji Huiying et al.: "Permission Management for Business Scenarios of the New-Generation Dispatching and Control System", Computer Systems & Applications (计算机系统应用), pages 1-7 *
Guo Xiaoqi: "On Access Control in Information Systems", Electronic Technology & Software Engineering (电子技术与软件工程), no. 11, 1 June 2020 (2020-06-01) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant